This is the comment you were replying to, attached to the article Struggling to implement PCI compliance:
#14 Re: Why apply firewall AFTER bringing up interface?
Posted by Anonymous (82.227.xx.xx) on Sun 23 Mar 2008 at 01:09

Good point. My little script does indeed use IP numbers rather than domain names. But: is DNS resolution needed before a packet arrives? Presumably no packets can arrive until the interfaces have been brought up. I don't know whether iptables resolves the name at rule initialisation or whenever a packet arrives. If it only resolves the domain name when the rule is initialised, then presumably it will fail if the IP number later changes, cancelling one of the reasons to use a name instead of an IP number in the first place.

I remember being discouraged from using names instead of IP numbers by the following section of man iptables:

    -s, --source [!] address[/mask]
        Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address.

[more...]
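An added example, not part of the comment above or of the original article, on the resolution question it raises: iptables resolves a hostname once, when the rule is submitted, and the kernel keeps only the resulting addresses, so a rule built from a name silently goes stale if the name later points somewhere else. The script uses constructed iptables-save output and a constructed "current" resolution for the hypothetical name mail.example.com to show what the kernel actually holds, report current addresses no rule covers, and do the DNS lookup explicitly in the script so it happens (and fails visibly) before any rule is built:

```shell
#!/bin/sh
# Constructed sample of "iptables-save" output after running
#   iptables -A INPUT -s mail.example.com -j ACCEPT
# while the name resolved to 192.0.2.10 and 192.0.2.11. iptables resolves
# the name once, before submitting the rule, and the kernel stores only
# addresses (one rule per address); the name itself is not kept anywhere.
SAMPLE_RULES='-A INPUT -s 192.0.2.10/32 -j ACCEPT
-A INPUT -s 192.0.2.11/32 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# Addresses the name resolves to today (constructed; one has changed).
NOW_RESOLVED='192.0.2.10
192.0.2.12'

# rule_sources RULES: every /32 source address present in the rule text.
rule_sources() {
  printf '%s\n' "$1" | sed -n 's|.*-s \([0-9.]*\)/32.*|\1|p' | sort -u
}

# uncovered ADDRS RULES: resolved addresses with no matching source rule,
# i.e. the host's current address would no longer be accepted.
uncovered() {
  for a in $1; do
    printf '%s\n' "$2" | grep -qF -- "-s $a/32" || printf '%s\n' "$a"
  done
}

# resolve_or_fail NAME: do the DNS lookup in the script, before any rule
# is built, so a failure is visible instead of happening inside iptables.
# Prints one address per line, or nothing and returns 1 on failure.
resolve_or_fail() {
  addrs=$(getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u)
  [ -n "$addrs" ] || { echo "cannot resolve $1" >&2; return 1; }
  printf '%s\n' "$addrs"
}

# rules_for ADDRS: emit one address-based rule per resolved address, the
# same thing iptables does internally, but now under the script's control.
rules_for() {
  for a in $1; do printf 'iptables -A INPUT -s %s/32 -j ACCEPT\n' "$a"; done
}

echo "addresses frozen into the rules:"; rule_sources "$SAMPLE_RULES"
echo "current addresses with no rule:";  uncovered "$NOW_RESOLVED" "$SAMPLE_RULES"
echo "rules to load today:";             rules_for "$NOW_RESOLVED"
```

On a live host, replace NOW_RESOLVED with the output of resolve_or_fail and pipe rules_for into sh once the resolver is reachable; re-running the uncovered check from cron catches a name that has moved since the rules were loaded.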